Recently, distributed denial of service attacks have become a major nuisance
on the Internet. By properly filtering and rate limiting your network, you can
both prevent becoming a casualty or the cause of these attacks.

You should filter your networks so that you do not allow non-local IP source
addressed packets to leave your network. This stops people from anonymously
sending junk to the Internet.

If you have 100Mbit, or more, interfaces, adjust these numbers. Now you need
to determine how much ICMP traffic you want to allow. You can perform
measurements with tcpdump, by having it write to a file for a while, and
seeing how much ICMP passes your network. Do not forget to raise the
snapshot length!

If measurement is impractical, you might want to choose 5% of your available
bandwidth. Let's set up our class: